NTFS Encryption after *removing* the account password

braytonak (Junior Member, joined Nov 24, 2004):
I just got a call from my brother about his encrypted files on his computer. The files were encrypted via WinXP's native encryption. He said he was getting annoyed with the user password on his account, so he went to the control panel applet and removed the user password. Well, this also means that you can't access your encrypted files anymore.

If he puts the same password back on the account, will the encrypted folders suddenly be accessible again? I'm hoping that this is the case, because his entire user account folder under Documents & Settings is encrypted (prying girlfriend, I guess). This means that his desktop and applications went haywire when he removed the password.

So any ideas? Will putting the password back in place solve the dilemma?
 

stash (Diamond Member, joined Jun 22, 2000):
I've never used the encryption feature but can't the administrator account on the box take ownership or unencrypt the files that were encrypted?

Definitely not.
 

Nothinman (Elite Member, joined Sep 14, 2001):
I've never used the encryption feature but can't the administrator account on the box take ownership or unencrypt the files that were encrypted?

If it was that easy to bypass, the encryption would be worthless.
 

Genx87 (Lifer, joined Apr 8, 2002):
Once they are encrypted I believe there are a set of master keys that Microsoft owns, and/or you have to do it on the machine where they originated from.
 

Nothinman (Elite Member, joined Sep 14, 2001):
Originally posted by: Genx87
Once they are encrypted I believe there are a set of master keys that Microsoft owns, and/or you have to do it on the machine where they originated from.

MS does not have any master keys. I believe you can define a recovery agent account that will also be able to decrypt everything, but you have to do it before you encrypt anything for it to actually work.
 

stash (Diamond Member, joined Jun 22, 2000):
Originally posted by: Genx87
Once they are encrypted I believe there are a set of master keys that Microsoft owns, and/or you have to do it on the machine where they originated from.

And we also put chips in the brains of every newborn since 1995 that sends their purchasing tendencies to the mother ship!

:disgust:
 

stash (Diamond Member, joined Jun 22, 2000):
Originally posted by: Nothinman
but you have to do it before you encrypt anything for it to actually work

Getting back to reality for a sec...

This actually isn't quite true. If you have an encrypted file and you then define a recovery agent, you can use the cipher command-line tool to touch every encrypted file to update that info. The command is cipher /U.
 

Nothinman (Elite Member, joined Sep 14, 2001):
Originally posted by: stash
This actually isn't quite true. If you have an encrypted file and you then define a recovery agent, you can use the cipher command-line tool to touch every encrypted file to update that info. The command is cipher /U.

I figured there was a way to force a re-encryption of all the files with the additional key, but I didn't know what it was or if even just opening/saving or copying the file would do it. But it's irrelevant anyway; no one would even know that the files need to be re-encrypted, let alone look at the cipher command.
 

stash (Diamond Member, joined Jun 22, 2000):
Originally posted by: Nothinman
but I didn't know what it was or if even just opening/saving or copying the file would do it.

That would do it too.

Originally posted by: Nothinman
But it's irrelevant anyway; no one would even know that the files need to be re-encrypted, let alone look at the cipher command.

Huh?
 

Nothinman (Elite Member, joined Sep 14, 2001):
I'm sure people would assume that if you add a recovery agent account after the fact, it takes effect on all currently encrypted files. No one is going to know that the files need to be re-encrypted in order for the recovery agent to be useful.
 

stash (Diamond Member, joined Jun 22, 2000):
True. Although, like you mentioned, simply opening and closing the file will update it as well. Usually, touching all the files on a system to update them with new recovery information would be something that is done by the admins, since they would be controlling the recovery agent policy in the first place.

If you are doing recovery agents in a standalone environment, then you would have to remember to touch all files to update them. There isn't any way around it; the DRF needs to be updated with the new FEK.
 

braytonak (Junior Member, joined Nov 24, 2004):
Well, it looks like if the password is removed, which causes the files to be locked, they can definitely be restored by putting the same password back on the account. At least I know that little workaround, although I would be surprised if it happened to me again. hehe
 

stash (Diamond Member, joined Jun 22, 2000):
That's not really a workaround; you are just changing your password back to the same password that is protecting the master key on your system, which in turn protects your EFS key.

Changing your password should not lock you out of your encrypted files. There have been some issues with this and you can read about them on the Microsoft website. I believe there is a hotfix for this particular issue, but I'll need to research.
 

braytonak (Junior Member, joined Nov 24, 2004):
Well, "workaround" was probably a bad word. Removing your password, which is what my brother did (and he was warned by the system about doing it), is what locked him out of his files. When your entire user folder in Documents & Settings is encrypted, it makes for a f'd system. I wasn't sure at the time if just putting the same password back on the account would solve the issue, which it did. We just turned around and unencrypted everything before removing the password again.

True, *changing* the password doesn't cause encryption issues, but removing the password in Windows XP does cause problems. I couldn't duplicate the problem in Windows 2000.
 

stash (Diamond Member, joined Jun 22, 2000):
Removing password, changing password == same thing. Setting the password to NULL is changing the password. It should not matter at all to EFS.

But I suspect this has more to do with encrypting the entire profile. There are things that should not be encrypted, and others that cannot be encrypted while the profile is loaded (ntuser.dat, as well as the desktop. The desktop can be encrypted if you kill the shell, though).

Really the only folders you should worry about encrypting in a profile are My Documents, Local settings\Application Data\Microsoft\Outlook (your mail), and maybe desktop (kill the shell to do this).

Yes, this does have to do with encrypting the profile, now that I think about it. The master keys are stored in the profile, and you encrypted them. If you change your password, the master keys cannot be updated, so you lose access to your EFS key and therefore lose access to the encrypted files.
 

braytonak (Junior Member, joined Nov 24, 2004):
Originally posted by: STaSh
Removing password, changing password == same thing. Setting the password to NULL is changing the password. It should not matter at all to EFS.

So if this is the case, why does Windows XP warn you that removing a password will cause previously encrypted files to become inaccessible? I have had Windows warn me of this once, back when I was playing around with encryption after reading something about it during a certification study. I couldn't get Windows 2000 to warn of this, but Windows XP did.

When I was doing this as an experiment a month ago, I was trying to remove the password from another mock-up account. My brother got the warning when doing this on his own account. I was using Computer Management and he was using the User Accounts control panel. The relief is that just reapplying the old password will enable access again, in this scenario.
 

Doug117 (Senior member, joined Oct 30, 2000):
Here's an idea... try it yourself!! I'm really out of the loop when it comes to this kind of stuff (used to know it). But it seems that changing the password won't screw with EFS. EFS is tied to the user account. EFS would be worthless if you couldn't decrypt your files after changing a password (think corporate scenario where you have to change your password every 30d or so). EFS generates a private key which gets stored in the registry hive, and is viewable/exportable via the MMC snap-in certmgr.msc. So quick answer is no, changing password (correctly) will not screw EFS up. Deleting the user account, however, will. By correctly I mean by pressing Ctrl-Alt-Del, and not choosing set password in Computer Management. That WILL screw things :) That's why the little box that pops up says "you should only use this command only if you've forgotten the password and do not have a password reset disk. If you know the current password and want to change it press Ctrl+Alt+Delete and click change password". And if you press help it tells you why. Gosh, Windows actually tells you what you want to know.
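The key chain stash and Doug117 describe (logon password protects the DPAPI master key, which protects the EFS private key, which unwraps each file's FEK from its DDF; a recovery agent only helps once each file's DRF has been updated, as cipher /U does) as an added toy model of why a Ctrl-Alt-Del change keeps access while an administrative reset or password removal does not. This is constructed example code, not Windows' implementation or anything posted in the thread; the wrap/unwrap scheme, pw_key, and the Profile/EfsFile names are assumptions made for illustration.

```python
# Toy model of the EFS/DPAPI key chain discussed in this thread (a constructed
# illustration, not Windows' real algorithms or on-disk formats). wrap() is a
# SHA-256 keystream XOR plus an HMAC tag, so a wrong key raises, not garbage.
import hashlib, hmac, os

def _ks(key, n):  # deterministic keystream of n bytes from key
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(-(-n // 32)))[:n]

def wrap(key, data):
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unwrap(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct))))

def pw_key(password):  # stand-in for DPAPI's password-derived key; salt is a placeholder
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"SID-placeholder", 1000)

class Profile:
    """Logon password -> DPAPI master key -> EFS private key, all stored in the profile."""
    def __init__(self, password):
        self.password, master, self.efs_key = password, os.urandom(32), os.urandom(32)
        self.wrapped_master = wrap(pw_key(password), master)  # DPAPI master key blob
        self.wrapped_efs = wrap(master, self.efs_key)         # EFS private key blob
    def unlocked_efs_key(self):
        return unwrap(unwrap(pw_key(self.password), self.wrapped_master), self.wrapped_efs)
    def change_password(self, old, new):  # Ctrl-Alt-Del path: old password known
        self.wrapped_master = wrap(pw_key(new), unwrap(pw_key(old), self.wrapped_master))
        self.password = new
    def admin_reset(self, new):  # "Set Password"/remove password: blob is not re-wrapped
        self.password = new

class EfsFile:
    """FEK wrapped to the owner's EFS key (DDF) and to each recovery agent (DRF)."""
    def __init__(self, owner, plaintext):
        fek = os.urandom(32)
        self.ddf = wrap(owner.unlocked_efs_key(), fek)
        self.drf = []  # empty: no recovery agent existed when the file was encrypted
        self.data = wrap(fek, plaintext)
    def read(self, user):
        return unwrap(unwrap(user.unlocked_efs_key(), self.ddf), self.data)
    def cipher_u(self, owner, agent_key):  # what touching the file / cipher /U adds
        self.drf.append(wrap(agent_key, unwrap(owner.unlocked_efs_key(), self.ddf)))
    def recover(self, agent_key):
        if not self.drf: raise PermissionError("no DRF: file not updated after agent was added")
        return unwrap(unwrap(agent_key, self.drf[0]), self.data)
```

After admin_reset() the master key blob is still wrapped under the old password, so files stay unreadable until that same password is set again, which is exactly the recovery braytonak observed.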
 

imported_Phil (Diamond Member, joined Feb 10, 2001):
Originally posted by: STaSh
Yes, this does have to do with encrypting the profile, now that I think about it. The master keys are stored in the profile, and you encrypted them. If you change your password, the master keys cannot be updated, so you lose access to your EFS key and therefore lose access to the encrypted files.

:laugh:

That makes a lot of sense :)
 

stash (Diamond Member, joined Jun 22, 2000):
You are hung up on the password. The password is not your problem here; it's that you encrypted the entire profile directory.